Sorry, I’m only a village idiot; I’m not able to add myself as a trusted vendor ;D.
If possible, please mark all those applications as trusted through CIS\Defense+. Do you get an alert about those programs being sandboxed? (You should!) Select ‘don’t run in sandbox’. If you’re still having trouble, maybe it is a good idea to disable the sandbox while you wait for a fix.
My guess is that you are getting repeated alerts because the file is being modified. D+ may be saying that it is a different file, because it could be!
To get round this, you need to confer inheritable rights on the file that is running this file. You do this by making the calling file an installer/updater in the computer security policy.
So all you need to do is work out which file is calling this file and hope it is not explorer.exe. It’s dangerous to make explorer.exe an installer/updater, as it is very likely to run unknown files which may be malware. You probably know which file this is already. If not, I can help you find out. Basically, you use Microsoft Process Explorer (just Google it!) to observe what is happening.
OK, after deeper testing:
When I run the JScript from the command line alone, there is no popup. But if I run the same command from a batch file, D+ pops up.
I suppose D+ hates a batch file running JScript, because my test JScript includes only: var a = 1; and nothing else.
So this case is a curiosity; I’ll try to overcome my loafing and write all I need into one JScript file.
Alternatively, just define the batch file as an installer/updater in the computer security policy. Does the JScript file get changed on each run (or each time it gets sandboxed)? (Both the file’s modified date and its contents are important.)
Modified files should be sandboxed, so I need to know this to know whether this is a bug or not!
Feature or bug? Hmm, that’s the question. But the D+ popup will confuse the user: whatever you do with the popup,
the script will work normally. I thought that the sandbox could virtualize the script, so that it would not work as a result???
I found a (personal) way out: excluding the batch file, I’m using JScript only.
I have done so and can replicate a sandbox alert for test.bat running test.js, but not test.js run directly.
Making test.bat an installer/updater suppresses this alert, and CIS seems to remember this suppression until reboot. (Presumably not intended behaviour, as the file does not remain in memory; I have checked.) So that’s more than one issue or bug!
I am just about to try making it a safe file and rebooting.
OK, have done that. No sandbox alert for test.bat when it is a safe file.
You can increase security slightly by adding the .js extension to the executable files group. Then you get an alert for test.js when run from test.bat if test.bat is made a safe file.
But you still don’t get an alert if it is executed from explorer.exe.
This may have something to do with the fact that .js files are executed using a file association which opens Windows Scripting Host with the file name as a parameter, like this: “C:\WINDOWS\System32\WScript.exe” “C:\Documents and Settings\Michael\My Documents\test.js”. So the OS, in a sense, sees the .js file as a data file.
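An added reproduction script for the test described in this thread (written for this page; it is not code from any of the posters). It creates the one-line test.js, prints the .js file association that hands the script to WScript.exe as a parameter, launches test.js the two ways discussed (through the association and by calling WScript.exe explicitly), and records the script file’s modified time and size before and after, so you can answer the earlier question of whether test.js changes between runs. It assumes a default Windows XP-era setup where .js maps to the JSFile type and WScript.exe lives in %SystemRoot%\System32; the file names test.bat/test.js are the ones used in the thread.

```batch
@echo off
rem Added example, not from the thread: save as test.bat and run it from
rem explorer.exe and from a cmd prompt, then compare D+ behaviour.
rem Assumes .js is associated with the JSFile type and that WScript.exe
rem is in %SystemRoot%\System32 (default Windows XP install).
setlocal

rem 1. Show how the OS dispatches a .js file: the script is only a
rem    parameter to WScript.exe, which is why D+ sees it as a data file.
assoc .js
ftype JSFile

rem 2. Create the minimal script used in the thread (one statement).
> test.js echo var a = 1;

rem 3. Record modified time and size before the runs.
for %%F in (test.js) do set BEFORE=%%~tF %%~zF
echo before: %BEFORE%

rem 4a. Launch through the file association, as explorer.exe would.
rem     This is the path on which the thread's sandbox alert appeared.
start /wait "" test.js

rem 4b. Launch WScript.exe explicitly with the same file as parameter.
"%SystemRoot%\System32\WScript.exe" "%CD%\test.js"

rem 5. Record modified time and size after the runs. If they differ,
rem    D+ is right to treat test.js as a modified file; if they are
rem    identical, a repeated alert for the same file is a D+ issue.
for %%F in (test.js) do set AFTER=%%~tF %%~zF
echo after:  %AFTER%
if "%BEFORE%"=="%AFTER%" (
    echo test.js unchanged between runs
) else (
    echo test.js CHANGED between runs
)
endlocal
```

To reproduce the difference reported above, run this batch file once, then type the two launch commands from step 4 directly at a cmd prompt; the thread reports an alert only for the batch-file case. Note that %%~tF only shows minute resolution, so if you need to rule out an in-place rewrite that keeps the same size, also compare the file’s contents (for example with fc) between runs.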